
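Masscanned (name inspired, of course, by masscan) is a network responder. Its purpose is to provide generic answers to as many protocols as possible, with as few assumptions as possible about the client's intentions.
Let them talk first.
Just like masscan, masscanned implements its own userland network stack, similarly to honeyd. It is designed to interact with scanners and opportunistic bots as far as possible, and to support as many protocols as possible.
For example, when it receives network packets:
- masscanned answers ARP who is-at with ARP is-at (for its IP addresses),
- masscanned answers ICMP Echo Request with ICMP Echo Reply,
- masscanned answers TCP SYN (any port) with TCP SYN/ACK,
- masscanned answers HTTP requests (any verb) over TCP/UDP (any port) with an HTTP 401 web page.
Masscanned currently supports the most common protocols at layers 2-3-4, and a few application protocols.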
$ cargo build
# ip netns add masscanned
# ip link add vethmasscanned type veth peer veth netns masscanned
# ip link set vethmasscanned up
# ip -n masscanned link set veth up
# ip addr add dev vethmasscanned 192.168.0.0/31
# ip netns exec masscanned ./target/debug/masscanned --iface veth -v[vv]
# arping 192.168.0.1
# ping 192.168.0.1
# nc -n -v 192.168.0.1 80
# nc -n -v -u 192.168.0.1 80
...
# apt install docker.io
$ cd masscanned/docker && docker build -t masscanned:test .
$ docker run --cap-add=NET_ADMIN masscanned:test
# arping 172.17.0.2
# ping 172.17.0.2
# nc -n -v 172.17.0.2 80
# nc -n -v -u 172.17.0.2 80
...
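A good use of Masscanned is to deploy it on a VPS with one or more public IP addresses.
To use the results, the best way is to capture all the network traffic on the interface Masscanned is listening on and responding from. The pcaps can then be analyzed with zeek, and the output files can typically be pushed into an IVRE instance.
Documentation on how to deploy an instance of Masscanned on a VPS is coming (see issue #2).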
Network answering machine for various network protocols (L2-L3-L4 + applications)
Usage: masscanned [OPTIONS] --iface <iface>
Options:
-i, --iface <iface>
the interface to use for receiving/sending packets
-m, --mac-addr <mac>
MAC address to use in the response packets
--self-ip-file <selfipfile>
File with the list of IP addresses handled by masscanned
--self-ip-list <selfiplist>
Inline list of IP addresses handled by masscanned, comma-separated
--remote-ip-deny-file <remoteipdenyfile>
File with the list of IP addresses from which masscanned will ignore packets
--remote-ip-deny-list <remoteipdenylist>
Inline list of IP addresses from which masscanned will ignore packets
-v...
Increase message verbosity
-q, --quiet
Quiet mode: do not output anything on stdout
--format <format>
Format in which to output logs [default: console] [possible values: console, logfmt]
-h, --help
Print help information
-V, --version
Print version information
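masscanned answers ARP requests that target an IPv4 address handled by masscanned (i.e., an address in the IP address file given with option -f).
The answer contains the first of the following possible MAC addresses:
- the MAC address specified with -a, if any,
- the MAC address of the interface specified with -i, if any,
- the masscanned default MAC address, i.e., c0:ff:ee:c0:ff:ee.
masscanned answers Ethernet frames if and only if the following requirements are met:
- the destination address of the frame is handled by masscanned, which means it is one of:
  - masscanned's own MAC address,
  - the broadcast MAC address ff:ff:ff:ff:ff:ff,
  - a multicast MAC address corresponding to one of the IPv4 addresses handled by masscanned (RFC 1112),
  - a multicast MAC address corresponding to one of the IPv6 addresses handled by masscanned;
- the EtherType field is one of ARP, IPv4 or IPv6.
Note: even for a non-multicast IP address, masscanned responds to L2 frames addressed to the corresponding multicast MAC address. For example, if masscanned handles 10.11.12.13, it responds to frames addressed to 01:00:5e:0b:0c:0d.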
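The Ethernet acceptance rules above, including the RFC 1112 mapping behind the 10.11.12.13 note, written out as an added example (not masscanned's own code). The function and constant names are hypothetical, and only the IPv4 multicast case is covered; the IPv6 mapping is left out.

```rust
use std::net::Ipv4Addr;

type Mac = [u8; 6];

// EtherType values that pass the second requirement.
const ETHERTYPE_IPV4: u16 = 0x0800;
const ETHERTYPE_ARP: u16 = 0x0806;
const ETHERTYPE_IPV6: u16 = 0x86dd;

/// RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the IPv4 address.
fn ipv4_multicast_mac(ip: Ipv4Addr) -> Mac {
    let o = ip.octets();
    // The top bit of the second octet is dropped, so 32 addresses share one MAC.
    [0x01, 0x00, 0x5e, o[1] & 0x7f, o[2], o[3]]
}

/// Hypothetical helper: true when a frame meets both Ethernet requirements.
fn frame_is_handled(dst: Mac, ethertype: u16, own: Mac, handled_v4: &[Ipv4Addr]) -> bool {
    let type_ok = matches!(ethertype, ETHERTYPE_ARP | ETHERTYPE_IPV4 | ETHERTYPE_IPV6);
    let dst_ok = dst == own
        || dst == [0xff; 6] // broadcast
        || handled_v4.iter().any(|ip| ipv4_multicast_mac(*ip) == dst);
    type_ok && dst_ok
}

fn main() {
    // Constructed sample: the default MAC and the address used in the note above.
    let own: Mac = [0xc0, 0xff, 0xee, 0xc0, 0xff, 0xee];
    let handled = [Ipv4Addr::new(10, 11, 12, 13)];
    let mcast = ipv4_multicast_mac(handled[0]);
    println!("multicast MAC for {}: {:02x?}", handled[0], mcast);
    println!("handled: {}", frame_is_handled(mcast, ETHERTYPE_IPV4, own, &handled));
}
```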
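masscanned answers IPv4 and IPv6 packets only if:
- no IP address is specified (i.e., no -f option is specified or the file is empty), or
- the destination IP address is one of the IP addresses handled by masscanned.
An additional requirement is that the next layer protocol is supported (see below).
The following L3+/4 protocols are supported for an IPv4 packet:
- ICMPv4
- UDP
- TCP
If the next layer protocol is not one of them, the packet is dropped.
The following L3+/4 protocols are supported for an IPv6 packet:
- ICMPv6
- UDP
- TCP
If the next layer protocol is not one of them, the packet is dropped.
masscanned answers ICMPv4 packets if and only if:
- the ICMP type is EchoRequest (8),
- the ICMP code is 0.
If these conditions are met, masscanned answers with an ICMP packet of type EchoReply (0), code 0 and the same payload as the incoming packet, as specified by RFC 792.
masscanned answers ICMPv6 packets if and only if:
- the ICMP type is NeighborSol (135) and:
  - no IP (v4 or v6) is specified for masscanned,
  - or the target address is one of those handled by masscanned.
  In that case, the answer is a Neighbor Advertisement (136) packet with the masscanned MAC address,
or
- the ICMP type is EchoRequest (128).
  In that case, the answer is an EchoReply (129) packet.
masscanned answers the following TCP packets:
- if the received packet has flags PSH and ACK, masscanned checks the SYNACK-cookie and, if it is valid, answers with at least an ACK, or with a PSH-ACK if a supported protocol (layer 5/6/7) has been detected,
- if the received packet has flag ACK, it is ignored,
- if the received packet has flag RST or FIN-ACK, it is ignored,
- if the received packet has flag SYN, masscanned tries to imitate the behaviour of a standard Linux stack, that is:
  - if there are additional flags other than PSH, URG, CWR, ECE, the SYN is ignored,
  - if CWR and ECE are set simultaneously, the SYN is ignored,
  - in any other case, masscanned answers with a SYN-ACK packet, setting a SYNACK-cookie in the sequence number.
masscanned answers a UDP packet if and only if the upper-layer protocol handles the packet and provides an answer.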
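The TCP rules above as a stateless decision function, with the SYNACK-cookie carried in the sequence number and checked on the later PSH-ACK. This is an added example, not masscanned's code: the names are hypothetical, "has flags PSH and ACK" is read as exactly those two flags, and the standard library's DefaultHasher stands in for whatever cookie function masscanned uses.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
use std::net::IpAddr;

// TCP flag bits (RFC 793 plus the ECN bits of RFC 3168).
const FIN: u8 = 0x01;
const SYN: u8 = 0x02;
const RST: u8 = 0x04;
const PSH: u8 = 0x08;
const ACK: u8 = 0x10;
const URG: u8 = 0x20;
const ECE: u8 = 0x40;
const CWR: u8 = 0x80;

#[derive(Debug, PartialEq)]
enum Action {
    Ignore,
    SynAck { seq: u32 }, // cookie carried in the sequence number
    Ack,                 // cookie verified; a protocol handler could add PSH + payload
}

/// Cookie over the client's 4-tuple and a secret key. DefaultHasher is a
/// stand-in chosen for this example, not the function masscanned uses.
fn cookie(key: u64, src: IpAddr, sport: u16, dst: IpAddr, dport: u16) -> u32 {
    let mut h = DefaultHasher::new();
    (key, src, sport, dst, dport).hash(&mut h);
    h.finish() as u32
}

/// Hypothetical decision function; `ck` is cookie() for the incoming packet.
fn decide(flags: u8, ack_no: u32, ck: u32) -> Action {
    if flags == (PSH | ACK) {
        // No per-connection state: the ACK number must equal cookie + 1.
        return if ack_no == ck.wrapping_add(1) { Action::Ack } else { Action::Ignore };
    }
    if flags & SYN != 0 {
        let extra = flags & !(SYN | PSH | URG | CWR | ECE);
        let both_ecn = flags & (CWR | ECE) == (CWR | ECE);
        return if extra != 0 || both_ecn { Action::Ignore } else { Action::SynAck { seq: ck } };
    }
    Action::Ignore // bare ACK, RST, FIN-ACK
}

fn main() {
    // Constructed sample flow; key and addresses are made up.
    let (c, s): (IpAddr, IpAddr) = ("192.168.0.0".parse().unwrap(), "192.168.0.1".parse().unwrap());
    let ck = cookie(0x5eed, c, 40000, s, 80);
    println!("{:?} {:?} {:?}", decide(SYN, 0, ck), decide(PSH | ACK, ck.wrapping_add(1), ck), decide(RST | FIN, 0, ck));
}
```

Because the cookie is recomputed from each packet, a PSH-ACK from a client that never received a SYN-ACK is dropped without keeping a connection table.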
masscanned answers any HTTP request (any valid verb) with a 401 Authorization Required. Note that HTTP requests with an invalid verb are not answered.
Example:
$ curl -X GET 10.11.10.129
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
$ curl -X OPTIONS 10.11.10.129
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
$ curl -X HEAD 10.11.10.129
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the
Warning: way you want. Consider using -I/--head instead.
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
$ curl -X XXX 10.11.10.129
[timeout]
Example:
$ stun 10.11.10.129
STUN client version 0.97
Primary: Open
Return value is 0x000001
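masscanned answers SSH Client: Protocol messages with the following Server: Protocol message:
SSH-2.0-1\r\n
masscanned answers Negotiate Protocol Request packets so that the client sends an NTLMSSP_NEGOTIATE, to which masscanned answers with a challenge.
Example:
$ smbclient -U user \\\\10.11.10.129\\shared
Enter WORKGROUP\user's password:
masscanned answers DNS queries of class IN and type A (for now). The answer it provides always contains the IP address the query was sent to.
Example: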
$ host -t A masscan.ned 10.11.10.129
Using domain server:
Name: 10.11.10.129
Address: 10.11.10.129#53
Aliases:
masscan.ned has address 10.11.10.129
$ host -t A masscan.ned 10.11.10.130
Using domain server:
Name: 10.11.10.130
Address: 10.11.10.130#53
Aliases:
masscan.ned has address 10.11.10.130
$ host -t A masscan.ned 10.11.10.131
Using domain server:
Name: 10.11.10.131
Address: 10.11.10.131#53
Aliases:
masscan.ned has address 10.11.10.131
$ host -t A masscan.ned 10.11.10.132
Using domain server:
Name: 10.11.10.132
Address: 10.11.10.132#53
Aliases:
masscan.ned has address 10.11.10.132
$ cargo test
Compiling masscanned v0.2.0 (/zdata/workdir/masscanned)
Finished test [unoptimized + debuginfo] target(s) in 3.83s
Running unittests (target/debug/deps/masscanned-f9292f8600038978)
running 92 tests
test client::client_info::tests::test_client_info_eq ... ok
test layer_2::arp::tests::test_arp_reply ... ok
test layer_2::tests::test_eth_empty ... ok
test layer_2::tests::test_eth_reply ... ok
test layer_3::ipv4::tests::test_ipv4_reply ... ok
test layer_3::ipv4::tests::test_ipv4_empty ... ok
test layer_3::ipv6::tests::test_ipv6_empty ... ok
test layer_3::ipv6::tests::test_ipv6_reply ... ok
test layer_4::icmpv4::tests::test_icmpv4_reply ... ok
test layer_4::icmpv6::tests::test_icmpv6_reply ... ok
test layer_4::icmpv6::tests::test_nd_na_reply ... ok
test layer_4::tcp::tests::test_synack_cookie_ipv6 ... ok
test layer_4::tcp::tests::test_tcp_fin_ack_wrap ... ok
test proto::dns::cst::tests::class_parse ... ok
test layer_4::tcp::tests::test_tcp_fin_ack ... ok
test layer_4::tcp::tests::test_synack_cookie_ipv4 ... ok
test proto::dns::cst::tests::type_parse ... ok
test proto::dns::header::tests::parse_byte_by_byte ... ok
test proto::dns::header::tests::repl_id ... ok
test proto::dns::header::tests::repl_opcode ... ok
test proto::dns::header::tests::repl_ancount ... ok
test proto::dns::header::tests::repl_rd ... ok
test proto::dns::query::tests::parse_in_a_all ... ok
test proto::dns::header::tests::parse_all ... ok
test proto::dns::query::tests::repl ... ok
test proto::dns::query::tests::reply_in_a ... ok
test proto::dns::rr::tests::parse_all ... ok
test proto::dns::rr::tests::parse_byte_by_byte ... ok
test proto::dns::query::tests::parse_in_a_byte_by_byte ... ok
test proto::dns::tests::parse_qd_all ... ok
test proto::dns::tests::parse_qd_byte_by_byte ... ok
test proto::dns::rr::tests::build ... ok
test proto::dns::tests::parse_qd_rr_all ... ok
test proto::dns::tests::parse_qr_rr_byte_by_byte ... ok
test proto::dns::tests::parse_rr_byte_by_byte ... ok
test proto::dns::tests::parse_rr_all ... ok
test proto::dns::tests::reply_in_a ... ok
test proto::http::tests::test_http_request_line ... ok
test proto::http::tests::test_http_request_no_field ... ok
test proto::http::tests::test_http_request_field ... ok
test proto::http::tests::test_http_verb ... ok
test proto::rpc::tests::test_probe_nmap ... ok
test proto::rpc::tests::test_probe_nmap_split1 ... ok
test proto::rpc::tests::test_probe_portmap_v4_dump ... ok
test proto::rpc::tests::test_probe_nmap_split2 ... ok
test proto::rpc::tests::test_probe_nmap_udp ... ok
test proto::smb::tests::test_smb1_session_setup_request_parse ... ok
test proto::smb::tests::test_smb1_protocol_nego_parsing ... ok
test proto::smb::tests::test_smb1_protocol_nego_reply ... ok
test proto::smb::tests::test_smb1_session_setup_request_reply ... ok
test proto::smb::tests::test_smb2_protocol_nego_parsing ... ok
test proto::smb::tests::test_smb2_protocol_nego_reply ... ok
test proto::smb::tests::test_smb2_session_setup_request_reply ... ok
test proto::smb::tests::test_smb2_session_setup_request_parse ... ok
test proto::ssh::tests::ssh_1_banner_cr ... ok
test proto::ssh::tests::ssh_1_banner_crlf ... ok
test proto::ssh::tests::ssh_1_banner_lf ... ok
test proto::ssh::tests::ssh_1_banner_space ... ok
test proto::ssh::tests::ssh_2_banner_cr ... ok
test proto::ssh::tests::ssh_1_banner_parse ... ok
test proto::ssh::tests::ssh_2_banner_parse ... ok
test proto::ssh::tests::ssh_2_banner_lf ... ok
test proto::ssh::tests::ssh_2_banner_crlf ... ok
test proto::stun::tests::test_change_request_port_overflow ... ok
test proto::stun::tests::test_proto_stun_ipv4 ... ok
test proto::stun::tests::test_change_request_port ... ok
test proto::ssh::tests::ssh_2_banner_space ... ok
test proto::stun::tests::test_proto_stun_ipv6 ... ok
test proto::tcb::tests::test_proto_tcb_proto_state_http ... ok
test proto::tests::dispatch_dns ... ok
test proto::tcb::tests::test_proto_tcb_proto_state_rpc ... ok
test proto::tcb::tests::test_proto_tcb_proto_id ... ok
test proto::tests::test_proto_dispatch_http ... ok
test proto::tests::test_proto_dispatch_ssh ... ok
test proto::tests::test_proto_dispatch_ghost ... ok
test proto::tests::test_proto_dispatch_stun ... ok
test smack::smack::tests::test_anchor_end ... ok
test smack::smack::tests::test_multiple_matches_wildcard ... ok
test smack::smack::tests::test_multiple_matches ... ok
test smack::smack::tests::test_anchor_begin ... ok
test smack::smack::tests::test_http_banner ... ok
test synackcookie::tests::test_clientinfo ... ok
test synackcookie::tests::test_ip4 ... ok
test synackcookie::tests::test_ip4_dst ... ok
test synackcookie::tests::test_ip4_src ... ok
test synackcookie::tests::test_ip6 ... ok
test synackcookie::tests::test_key ... ok
test synackcookie::tests::test_tcp_dst ... ok
test synackcookie::tests::test_tcp_src ... ok
test smack::smack::tests::test_wildcard ... ok
test smack::smack::tests::test_proto ... ok
test smack::smack::tests::test_pattern ... ok
test result: ok. 92 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.41s
# ./test/test_masscanned.py
INFO test_arp_req......................................OK
INFO test_arp_req_other_ip.............................OK
INFO test_ipv4_udp_dns_in_a............................OK
INFO test_ipv4_udp_dns_in_a_multiple_queries...........OK
INFO test_ipv4_tcp_ghost...............................OK
INFO test_ipv4_tcp_http................................OK
INFO test_ipv4_tcp_http_segmented......................OK
INFO test_ipv4_tcp_http_incomplete.....................OK
INFO test_ipv6_tcp_http................................OK
INFO test_ipv4_udp_http................................OK
INFO test_ipv6_udp_http................................OK
INFO test_ipv4_tcp_http_ko.............................OK
INFO test_ipv4_udp_http_ko.............................OK
INFO test_ipv6_tcp_http_ko.............................OK
INFO test_ipv6_udp_http_ko.............................OK
INFO test_icmpv4_echo_req..............................OK
INFO test_icmpv6_neighbor_solicitation.................OK
INFO test_icmpv6_neighbor_solicitation_other_ip........OK
INFO test_icmpv6_echo_req..............................OK
INFO test_ipv4_req.....................................OK
INFO test_eth_req_other_mac............................OK
INFO test_ipv4_req_other_ip............................OK
INFO test_rpc_nmap.....................................OK
INFO test_rpcinfo......................................OK
INFO test_smb1_network_req.............................OK
INFO test_smb2_network_req.............................OK
INFO test_ipv4_tcp_ssh.................................OK
INFO test_ipv4_udp_ssh.................................OK
INFO test_ipv6_tcp_ssh.................................OK
INFO test_ipv6_udp_ssh.................................OK
INFO test_ipv4_udp_stun................................OK
INFO test_ipv6_udp_stun................................OK
INFO test_ipv4_udp_stun_change_port....................OK
INFO test_ipv6_udp_stun_change_port....................OK
INFO test_ipv4_tcp_empty...............................OK
INFO test_ipv6_tcp_empty...............................OK
INFO test_tcp_syn......................................OK
INFO test_ipv4_tcp_psh_ack.............................OK
INFO test_ipv6_tcp_psh_ack.............................OK
INFO test_ipv4_udp_empty...............................OK
INFO test_ipv6_udp_empty...............................OK
INFO Ran 41 tests with 0 errors
You can also choose which tests to run using the TESTS environment variable:
TESTS=smb ./test/test_masscanned.py
INFO test_smb1_network_req.............................OK
INFO test_smb2_network_req.............................OK
INFO Ran 2 tests with 0 errors
Verbs:
- init
- recv
- send
- drop
$ts arp $verb $operation $client_mac $client_ip $masscanned_mac $masscanned_ip
$ts eth $verb $ethertype $client_mac $masscanned_mac